
ThreatLocker Detect is a policy-based Endpoint Detection and Response (EDR) solution that monitors for unusual events or Indicators of Compromise. It leverages telemetry data to identify and respond to potential cyber threats, ensuring swift and automated actions for enhanced security.

Vendor

ThreatLocker

Product details

Unleash the power of ThreatLocker® Detect

Comprehensive Endpoint Detection and Response (EDR) so you can be proactive in the fight against cyber threats.

What is ThreatLocker® Detect?

ThreatLocker® Detect is a policy-based Endpoint Detection and Response (EDR) solution. This EDR addition to the ThreatLocker Endpoint Protection Platform watches for unusual events or Indicators of Compromise (IoCs). When an anomaly is detected, ThreatLocker Detect can send alerts and take automated actions. It leverages the telemetry already collected by the other ThreatLocker modules together with Windows Event Logs, giving an organization the visibility it needs to identify and remediate possible cyber threats.

Why ThreatLocker® Detect?

ThreatLocker Detect has an edge over other EDR tools in detecting and responding to potential threats. It identifies and addresses known malicious activities while also covering events that are not tied to a known signature. Its automated responses can notify administrators, enforce additional rules, disconnect a machine from the network, or activate Lockdown mode. When Lockdown mode starts, it blocks all activity on the endpoint, including task execution, network access, and storage access. Beyond detecting remote access tools or PowerShell elevation, ThreatLocker Detect also identifies events such as abnormal RDP traffic or multiple failed login attempts, and it can determine when an event log has been cleared or when Windows Defender finds malware on a device. This proactive approach enables organizations to identify and respond to potential threats before they cause significant damage.

How does it work?

ThreatLocker Detect continuously monitors the behavior of trusted and untrusted applications on every device where the ThreatLocker Agent is installed. IT experts write their own rules and policies for decision-making instead of relying on AI or undisclosed criteria. Each policy pairs a set of conditions, which look for behaviors crossing a threshold that indicates a compromise may have occurred, with the responses to take when those conditions are met; ThreatLocker Detect then responds automatically according to the rules created. Policies are evaluated in real time by the ThreatLocker agent on the endpoint, so they are enforced in milliseconds whether or not the endpoint is connected to the internet. IT experts retain full control over policy priorities and event responses, which keeps automated incident response actions aligned with the organization's overall security strategy.
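To make the condition/threshold/response model concrete, here is an added example of a small threshold-based policy evaluator run over constructed Windows-style events. It is illustrative code written for this page, not ThreatLocker's policy format or agent code: the policy names, the response vocabulary (alert, isolate, lockdown), the corporate IP ranges, the event field names and the sample events are all assumptions. The event IDs it keys on are the standard Windows ones (4625 failed logon, 4624 logon with logon type 10 for RDP, 1102 Security log cleared, Defender 1116 malware detected).

```python
"""Toy sliding-window detection policy engine (added example; not ThreatLocker code).

Assumed shape: each event is a dict with a Unix timestamp 'ts', a 'host', a Windows
'event_id', and whatever other fields the source record carries. Policy names,
responses and sample events are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Deque, Dict, List, Tuple

Event = Dict[str, object]
Firing = Tuple[str, str, str]  # (policy name, aggregation key, response)

# Assumed corporate address space; an RDP logon from outside it is treated as abnormal.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

@dataclass
class Policy:
    name: str
    match: Callable[[Event], bool]   # condition evaluated on a single event
    threshold: int                   # matches needed inside the window to fire
    window_s: int                    # sliding window length in seconds
    response: str                    # 'alert', 'isolate' or 'lockdown'
    key: Callable[[Event], str] = lambda e: str(e["host"])  # what the count is tracked per

@dataclass
class Engine:
    policies: List[Policy]
    # (policy name, key) -> timestamps of recent matches, oldest first
    hits: Dict[tuple, Deque[int]] = field(default_factory=lambda: defaultdict(deque))

    def feed(self, ev: Event) -> List[Firing]:
        """Evaluate one event against every policy and return the policies that fired."""
        now = int(ev["ts"])
        fired: List[Firing] = []
        for p in self.policies:
            if not p.match(ev):
                continue
            q = self.hits[(p.name, p.key(ev))]
            q.append(now)
            while q and q[0] < now - p.window_s:   # expire matches outside the window
                q.popleft()
            if len(q) >= p.threshold:
                fired.append((p.name, p.key(ev), p.response))
                q.clear()   # one firing per burst, not one per additional event
        return fired

# Hypothetical policies mirroring the event types the page lists.
POLICIES = [
    Policy("failed-logons-burst", lambda e: e.get("event_id") == 4625, 5, 60, "alert"),
    Policy("external-rdp-logon",
           lambda e: e.get("event_id") == 4624 and e.get("logon_type") == 10
           and not is_internal(str(e.get("src_ip", "127.0.0.1"))), 1, 1, "alert"),
    Policy("security-log-cleared", lambda e: e.get("event_id") == 1102, 1, 1, "isolate"),
    Policy("defender-malware-detected",
           lambda e: e.get("provider") == "Microsoft-Windows-Windows Defender"
           and e.get("event_id") == 1116, 1, 1, "lockdown"),
]

SEVERITY = {"alert": 0, "isolate": 1, "lockdown": 2}

def run(events: List[Event], policies: List[Policy] = POLICIES) -> List[Firing]:
    engine = Engine(list(policies))
    out: List[Firing] = []
    for ev in sorted(events, key=lambda e: int(e["ts"])):
        out.extend(engine.feed(ev))
    return out

def most_severe_response(fired: List[Firing]) -> Dict[str, str]:
    """Collapse multiple firings per host into the single strongest response."""
    best: Dict[str, str] = {}
    for _, host, resp in fired:
        if SEVERITY[resp] > SEVERITY.get(best.get(host, "alert"), -1) or host not in best:
            best[host] = resp
    return best

# Constructed sample events: a burst of failed logons, an RDP logon from outside the
# corporate ranges, the Security log being cleared, and a Defender detection on ws02.
SAMPLE_EVENTS: List[Event] = (
    [{"ts": t, "host": "ws01", "event_id": 4625, "user": "jdoe", "src_ip": "10.0.0.5"}
     for t in (100, 110, 120, 130, 140)]
    + [{"ts": 200, "host": "ws01", "event_id": 4624, "logon_type": 10, "user": "jdoe",
        "src_ip": "198.51.100.23"},
       {"ts": 210, "host": "ws01", "event_id": 1102, "user": "jdoe"},
       {"ts": 220, "host": "ws02", "event_id": 1116,
        "provider": "Microsoft-Windows-Windows Defender", "threat": "Constructed.Test.Threat"},
       {"ts": 300, "host": "ws01", "event_id": 4625, "user": "jdoe", "src_ip": "10.0.0.5"}]
)

if __name__ == "__main__":
    fired = run(SAMPLE_EVENTS)
    for f in fired:
        print(f)
    print(most_severe_response(fired))
```

Two details matter in practice and are visible in the code: the window is pruned on every match so a slow trickle of failed logons never reaches the threshold, and the per-host responses are reduced to the most severe one so an "alert" firing does not mask an "isolate" on the same machine. A real agent evaluates this on the endpoint itself, which is why, as the page notes, enforcement does not depend on internet connectivity.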

Detect anomalies in Microsoft 365

ThreatLocker Detect identifies unexpected and unwanted behavior in your Microsoft 365 cloud environment that could indicate a cyberattack. ThreatLocker Detect cloud policies evaluate Microsoft 365 logs and notify ThreatLocker administrators of any potential indications of compromise discovered. Policies can be customized to your requirements using any field from the Microsoft 365 or Microsoft Graph API logs. With a Microsoft Entra ID P2 license, ThreatLocker Detect can also alert on the Entra ID Protection risk detections, including:

  • Users with leaked credentials - if a user's credentials are found to have been exposed (e.g., in a data breach), the user is flagged as at risk.
  • Sign-ins from anonymous IP addresses - a sign-in from an IP address associated with an anonymizing service that hides the user's origin is considered risky.
  • Impossible travel to atypical locations - if two sign-ins occur from locations that could not plausibly be reached in the time between them (e.g., sudden travel across continents), the sign-in is flagged.
  • Sign-ins from infected devices - if a user signs in from a device known to be infected with malware, the sign-in is considered risky.